The ThreatFox: ServHelper IOCs rule detects potential adversary activity associated with the ServHelper malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise network security and exfiltrate sensitive data.
IOC Summary

Malware Family: ServHelper
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | pssoduvnzud.xyz | botnet_cc | 2026-06-09 | 100% |
| domain | dsfamsi4b.cn | botnet_cc | 2026-06-09 | 100% |
| domain | asfjjasguasus.xyz | botnet_cc | 2026-06-09 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ServHelper
let malicious_domains = dynamic(["pssoduvnzud.xyz", "dsfamsi4b.cn", "asfjjasguasus.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
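To check the hunt logic offline before running it in Sentinel, here is an added Python re-implementation of the query above (example code, not part of the original rule page). It runs the three IOC domains against constructed DnsEvents-style records; the host names, timestamps and resolved addresses are made up for the example, and matching is on label boundaries and case-insensitive, mirroring how KQL `has_any` treats terms.

```python
"""Offline check of the ServHelper DNS hunt (added example, not the rule's own code)."""
from dataclasses import dataclass
from typing import List

# IOC list taken from the rule page.
MALICIOUS_DOMAINS = ["pssoduvnzud.xyz", "dsfamsi4b.cn", "asfjjasguasus.xyz"]


@dataclass
class DnsEvent:
    """Subset of the DnsEvents columns the KQL query projects."""
    time_generated: str
    computer: str
    name: str          # queried name
    ip_addresses: str
    query_type: str


# Constructed sample events: hypothetical hosts, times and resolutions.
SAMPLE_EVENTS = [
    DnsEvent("2026-06-09T10:01:00Z", "WS-0042", "pssoduvnzud.xyz", "203.0.113.10", "A"),
    DnsEvent("2026-06-09T10:02:00Z", "WS-0042", "cdn.dsfamsi4b.cn", "203.0.113.11", "A"),
    DnsEvent("2026-06-09T10:03:00Z", "SRV-01", "login.microsoftonline.com", "20.190.0.1", "A"),
    DnsEvent("2026-06-09T10:04:00Z", "WS-0077", "notasfjjasguasus.xyz", "198.51.100.5", "A"),
    DnsEvent("2026-06-09T10:05:00Z", "WS-0077", "ASFJJASGUASUS.XYZ.", "198.51.100.6", "AAAA"),
]


def matches_ioc(query_name: str, iocs: List[str] = MALICIOUS_DOMAINS) -> bool:
    """True if the queried name is an IOC domain or a subdomain of one.

    Matching is on label boundaries (like KQL `has`), case-insensitive and
    tolerant of a trailing dot, so 'notasfjjasguasus.xyz' is not a hit.
    """
    name = query_name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


def hunt(events: List[DnsEvent]) -> List[DnsEvent]:
    """Equivalent of the KQL pipeline: keep IOC matches, newest first."""
    hits = [e for e in events if matches_ioc(e.name)]
    return sorted(hits, key=lambda e: e.time_generated, reverse=True)


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e.time_generated, e.computer, e.name, e.ip_addresses, e.query_type)
```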
False Positive Scenarios

The exclusions below are written in a generic process-event field syntax (process.parent_process_name, process.command_line, process.user) rather than against the DnsEvents columns used by the hunt query; translate them to the process-event table in use before applying them.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs ServHelper.exe as part of a routine system maintenance or update process.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"

Scenario: Microsoft Endpoint Protection Scan
Description: Microsoft Defender or another EPP tool uses ServHelper.exe as part of its internal scanning or quarantine process.
Filter/Exclusion: process.parent_process_name == "MsMpEng.exe" or process.image contains "Microsoft Defender"

Scenario: Admin-Initiated File Cleanup
Description: An administrator uses a legitimate cleanup tool (e.g., CCleaner, Disk Cleanup) that may invoke ServHelper.exe for temporary file management.
Filter/Exclusion: process.parent_process_name contains "ccleaner.exe" or process.parent_process_name contains "cleanmgr.exe"

Scenario: Legitimate Third-Party Software Integration
Description: A third-party enterprise application (e.g., SQL Server, Exchange, or VMware Tools) includes ServHelper.exe as part of its service management.
Filter/Exclusion: process.parent_process_name contains "sqlservr.exe" or process.parent_process_name contains "vmtoolsd.exe"

Scenario: User-Initiated Process Launch via Command Line
Description: A user or script explicitly launches ServHelper.exe for a legitimate purpose, such as running a service configuration tool.
Filter/Exclusion: process.command_line contains "runas" or process.user contains "Administrator"